# koji hub configuration (hub.conf), rendered from this Ansible/Jinja2 template.
# Host-specific values are chosen on inventory_hostname: hostnames starting
# with "koji" are the primary hub; s390-, arm- and ppc-koji01 are secondary hubs.
# NOTE(review): HostPrincipalFormat below contains a literal %s, so this file is
# presumably read without configparser interpolation — confirm before adding
# any %(...)s references.
[hub]

## Basic options ##
DBName = koji
DBUser = koji
{% if inventory_hostname.startswith('koji') %}
DBHost = db-koji01
# The DB password is injected from an Ansible variable, so the rendered file
# holds it in cleartext; the deployed file should be readable only by the hub.
DBPass = {{ kojiPassword }}
# The hub's own Kerberos identity; env_suffix presumably separates staging from
# production hostnames — confirm against the group vars.
AuthPrincipal = host/koji{{env_suffix}}.fedoraproject.org
# Principals that may authenticate on behalf of other users (the kojiweb HTTP
# service, the sigul signing bridge and, in staging, the modularity service);
# every entry here is fully trusted, so keep the list short.
{% if env == "staging" %}
ProxyPrincipals = modularity@STG.FEDORAPROJECT.ORG,HTTP/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
{% else %}
ProxyPrincipals = HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/sign-bridge01.phx2.fedoraproject.org@FEDORAPROJECT.ORG
{% endif %}
{% elif inventory_hostname == 's390-koji01.s390.fedoraproject.org' %}
DBHost = db-s390-koji01.s390.fedoraproject.org
DBPass = {{ s390kojiPassword }}
AuthPrincipal = host/s390.koji.fedoraproject.org
# Secondary hubs trust the primary kojiweb service and the secondary sigul bridge.
ProxyPrincipals = HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/secondary-bridge01.phx2.fedoraproject.org@FEDORAPROJECT.ORG
{% elif inventory_hostname == 'arm-koji01.qa.fedoraproject.org' %}
DBHost = db-arm-koji01.qa.fedoraproject.org
DBPass = {{ armkojiPassword }}
AuthPrincipal = host/arm.koji.fedoraproject.org
ProxyPrincipals = HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/secondary-bridge01.phx2.fedoraproject.org@FEDORAPROJECT.ORG
{% elif inventory_hostname == 'ppc-koji01.ppc.fedoraproject.org' %}
DBHost = db-ppc-koji01.ppc.fedoraproject.org
DBPass = {{ ppckojiPassword }}
AuthPrincipal = host/ppc.koji.fedoraproject.org
ProxyPrincipals = HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/secondary-bridge01.phx2.fedoraproject.org@FEDORAPROJECT.ORG
{% endif %}
# Top-level directory of the koji storage volume.
KojiDir = /mnt/koji
MemoryWarnThreshold = 10000
# 160 MiB (160 * 1024 * 1024) cap on a single request body.
MaxRequestLength = 167772160
# Sessions are not bound to the client IP they were created from; presumably
# needed because requests reach the hub through proxies — TODO confirm.
CheckClientIP = False

# Kerb auth
# %s is filled in by koji with the builder hostname (not configparser
# interpolation); the realm follows the environment.
{% if env == "staging" %}
HostPrincipalFormat = compile/%s@STG.FEDORAPROJECT.ORG
{% else %}
HostPrincipalFormat = compile/%s@FEDORAPROJECT.ORG
{% endif %}
# Keytab holding the credentials for AuthPrincipal above.
AuthKeytab = /etc/koji-hub/koji-hub.keytab

##  SSL client certificate auth configuration  ##
#note: ssl auth may also require editing the httpd config (conf.d/kojihub.conf)

## the client username is the common name of the subject of their client certificate
DNUsernameComponent = CN
# Certificate subjects that may authenticate on behalf of other users; same
# level of trust as ProxyPrincipals above.
# NOTE(review): the secondary-hub lists mix slash-separated ("/C=US/ST=...")
# and comma-separated ("emailAddress=...,CN=...") DN spellings; these are
# presumably compared as strings against what httpd presents, so confirm that
# both forms actually match rather than one being a stale, never-matching entry.
{% if inventory_hostname.startswith('koji') %}
## separate multiple DNs with |
ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US|emailAddress=releng@fedoraproject.org,CN=sign-bridge1,OU=Package Signing,O=Fedora Project,ST=North Carolina,C=US
{% elif inventory_hostname == 's390-koji01.s390.fedoraproject.org' %}
ProxyDNs = /C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=s390.koji.fedoraproject.org/emailAddress=buildsys@fedoraproject.org|emailAddress=buildsys@fedoraproject.org,CN=secondary-signer,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US
{% elif inventory_hostname == 'arm-koji01.qa.fedoraproject.org' %}
ProxyDNs = /C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=arm.koji.fedoraproject.org/emailAddress=buildsys@fedoraproject.org|emailAddress=buildsys@fedoraproject.org,CN=secondary-signer,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US
{% elif inventory_hostname == 'ppc-koji01.ppc.fedoraproject.org' %}
ProxyDNs = /C=US/ST=North Carolina/O=Fedora Project/OU=Buildsys/CN=ppc.koji.fedoraproject.org/emailAddress=ppc@fedoraproject.org|/C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=secondary-signer/emailAddress=buildsys@fedoraproject.org|emailAddress=buildsys@fedoraproject.org,CN=secondary-signer,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US
{% endif %}

## end SSL client certificate auth configuration



##  Other options  ##
# A successful login by a principal or certificate with no koji account
# creates that account automatically.
LoginCreatesUser = On
# Public URL of the web frontend, presumably used when the hub builds links;
# note it is plain http.
{% if inventory_hostname.startswith('koji') %}
KojiWebURL = http://koji.fedoraproject.org/koji
{% elif inventory_hostname == 's390-koji01.s390.fedoraproject.org' %}
KojiWebURL = http://s390.koji.fedoraproject.org/koji
{% elif inventory_hostname == 'arm-koji01.qa.fedoraproject.org' %}
KojiWebURL = http://arm.koji.fedoraproject.org/koji
{% elif inventory_hostname == 'ppc-koji01.ppc.fedoraproject.org' %}
KojiWebURL = http://ppc.koji.fedoraproject.org/koji
{% endif %}
# The domain name that will be appended to Koji usernames
# when creating email notifications
EmailDomain = fedoraproject.org
# Disable sending all notifications from koji, people need to use FMN now
DisableNotifications = True

## If KojiDebug is on, the hub will be /very/ verbose and will report exception
## details to clients for anticipated errors (i.e. koji's own exceptions --
## subclasses of koji.GenericError).
# KojiDebug = On

## Determines how much detail about exceptions is reported to the client (via faults)
## Meaningful values:
##   normal - a basic traceback (format_exception)
##   extended - an extended traceback (format_exc_plus)
##   anything else - no traceback, just the error message
## The extended traceback is intended for debugging only and should NOT be
## used in production, since it may contain sensitive information.
# KojiTraceback = normal

## These options are intended for planned outages
#ServerOffline = True
#OfflineMessage = Offline
# LockOut = False
## If ServerOffline is True, the server will always report a ServerOffline fault (with
## OfflineMessage as the fault string).
## If LockOut is True, the server will report a ServerOffline fault for all non-admin
## requests.

# Space-separated list of hub plugins to load; the two commented-out entries
# below are disabled.
#Plugins = koji-disable-builds-plugin
#Plugins = darkserver-plugin
Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild

{% if inventory_hostname.startswith('koji') %}
# Hub policies (primary hub only). Each policy is a list of "tests :: action"
# rules evaluated top to bottom; the first matching rule wins, so order matters.
[policy]


# Who may tag builds into / out of which tags.
tag =
# Protected packages: only the MBS service user (into module-* tags), bodhi
# (into *-override tags), autosign (out of *-pending tags) or holders of the
# secure-boot permission may tag them; any other attempt is denied.
    user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    user bodhi && tag *-override && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    has_perm autosign && fromtag *-pending && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    package kernel shim grub2 fedora-release fedora-repos pesign :: deny
# Allow people to tag stuff into infra-candidate if they're infra
    tag *-infra-candidate && has_perm infra :: allow
    tag *-infra-candidate :: deny
# Allow people from infra to promote builds from -infra-stg to -infra tags
    tag *-infra && fromtag *-infra-stg && has_perm infra :: allow
# These two rules make sure people can't build srpms in infra tags and tag them into distribution tags
    tag *infra* && fromtag *infra* && has_perm infra :: allow
    fromtag *infra* :: deny
# Everything not matched above is permitted.
    all :: allow

# Which builder channel a task is routed to.
channel =
    method createrepo :: use createrepo
# A task that explicitly requested a channel gets it; subtasks follow their parent.
    has req_channel :: req
    is_child_task :: parent
#we want pesign-test-app to always go to the secure-boot channel even for scratch builds
    source */pesign-test-app* && has_perm secure-boot :: use secure-boot
#make sure all scratch builds go to default channel
    method build && bool scratch :: use default

#policies to deal with secure boot allowing only people in the secure-boot group to build the packages
# NOTE(review): these source patterns are globs, so */kernel* also matches any
# source whose name merely starts with "kernel" (kernel-tools, kernel-headers,
# ...); narrow them if only the named packages are meant.
    source */kernel* && has_perm secure-boot :: use secure-boot
    source */shim* && has_perm secure-boot :: use secure-boot
    source */grub2* && has_perm secure-boot :: use secure-boot
    source */pesign* && has_perm secure-boot :: use secure-boot
    source */fwupdate* && has_perm secure-boot :: use secure-boot

    all :: use default



# Building directly from an uploaded SRPM (no SCM provenance) is restricted to
# admins, and to infra permission holders when the build targets an
# *-infra-candidate tag; everyone else is denied.
build_from_srpm =
    has_perm admin :: allow
    tag *-infra-candidate && has_perm infra :: allow
    all :: deny

{% endif %}
